<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>User Management</title>
<link rel="stylesheet" type="text/css" href="../C.css">
<script type="text/javascript" src="../jquery.js"></script><script type="text/javascript" src="../jquery.syntax.js"></script><script type="text/javascript" src="../yelp.js"></script>
</head>
<body id="home">
<!--<script src="https://ssl.google-analytics.com/urchin.js" type="text/javascript"></script><script type="text/javascript">
        _uacct = "UA-1018242-8";
        urchinTracker();
      </script><script>
      function englishPageVersion() {
        var href = window.location.href;
        if (href.slice(-1) == "/") {
                window.location = "index.html.en";
        } else {
                window.location = href.replace(/\.html.*/, ".html.en");
        }
         return false;
      }
      function browserPreferredLanguage() {
        var href = window.location.href;
        if (href.slice(-1) == "/") {
                window.location = href;
        } else {
                window.location = href.replace(/\.html.*/, ".html");
        }
        return false;
      }
      </script>--><div id="container">
<div id="container-inner">
<div id="mothership"><ul>
<li><a href="https://partners.ubuntu.com">Partners</a></li>
<li><a href="https://www.ubuntu.com/support/community-support">Support</a></li>
<li><a href="https://community.ubuntu.com">Community</a></li>
<li><a href="https://www.ubuntu.com">Ubuntu.com</a></li>
</ul></div>
<div id="header">
<h1 id="ubuntu-header"><a href="https://help.ubuntu.com/">Ubuntu Documentation</a></h1>
<ul id="main-menu">
<li><a class="main-menu-item current" href="https://help.ubuntu.com/">Official Documentation</a></li>
<li><a href="https://help.ubuntu.com/community/CommunityHelpWiki">Community Help Wiki</a></li>
<li><a href="https://community.ubuntu.com/t/contribute/26">Contribute</a></li>
</ul>
</div>
<div id="menu-search"><div id="search-box">
<noscript><form action="https://www.google.com/cse" id="cse-search-box"><div>
<input type="hidden" name="cx" value="003883529982892832976:e2vwumte3fq"><input type="hidden" name="ie" value="UTF-8"><input type="text" name="q" size="21"><input type="submit" name="sa" value="Search">
</div></form></noscript><!--
<script>
                document.write('<form action="https://help.ubuntu.com/search.html" id="cse-search-box">');
                document.write('  <div>');
                document.write('    <input type="hidden" name="cof" value="FORID:9">');
                document.write('    <input type="hidden" name="cx" value="003883529982892832976:e2vwumte3fq">');
                document.write('    <input type="hidden" name="ie" value="UTF-8">');
                document.write('    <input type="text" name="q" size="21">');
                document.write('    <input type="submit" name="sa" value="Search">');
                document.write('  </div>');
                document.write('</form>');
              </script>-->
</div></div>
<div class="trails"><div class="trail">
<a href="https://help.ubuntu.com/18.04" class="trail">Ubuntu 18.04</a> » <a class="trail" href="../index.html" title="Ubuntu Server Guide">Ubuntu Server Guide</a> » <a class="trail" href="security.html" title="Security">Security</a> » </div></div>
<div id="cwt-content" class="clearfix content-area"><div id="page">
<div id="content">
<div class="links nextlinks">
<a class="nextlinks-prev" href="security.html" title="Security">Previous</a><a class="nextlinks-next" href="console-security.html" title="Console Security">Next</a>
</div>
<div class="hgroup"><h1 class="title">User Management</h1></div>
<div class="region">
<div class="contents"><p class="para">
	User management is a critical part of maintaining a secure system.  Ineffective user and privilege management often lead many systems into being compromised. Therefore, it is important that you understand how you can protect your server through simple and effective user account management techniques.
	</p></div>
<div class="links sectionlinks" role="navigation"><ul>
<li class="links"><a class="xref" href="user-management.html#where-is-root" title="Where is root?">Where is root?</a></li>
<li class="links"><a class="xref" href="user-management.html#adding-deleting-users" title="Adding and Deleting Users">Adding and Deleting Users</a></li>
<li class="links"><a class="xref" href="user-management.html#user-profile-security" title="User Profile Security">User Profile Security</a></li>
<li class="links"><a class="xref" href="user-management.html#password-policy" title="Password Policy">Password Policy</a></li>
<li class="links"><a class="xref" href="user-management.html#other-security-considerations" title="Other Security Considerations">Other Security Considerations</a></li>
</ul></div>
<div class="sect2 sect" id="where-is-root"><div class="inner">
<div class="hgroup"><h2 class="title">Where is root?</h2></div>
<div class="region"><div class="contents">
<p class="para">
	Ubuntu developers made a conscientious decision to disable the administrative root account by default in all Ubuntu installations. This does not mean that the root account has been deleted or that it may not be accessed. It merely has been given a password which matches no possible encrypted value, therefore may not log in directly by itself.
	</p>
<p class="para">
	Instead, users are encouraged to make use of a tool by the name of <span class="app application">sudo</span> to carry out system administrative duties.  <span class="app application">Sudo</span> allows an authorized user to  temporarily elevate their privileges using their own password instead of having to know the password belonging to the root account. This simple yet effective methodology provides accountability for all user actions, and gives the administrator granular control over which actions a user can perform with said privileges.   
	</p>
<div class="list itemizedlist"><ul class="list itemizedlist">
<li class="list itemizedlist">
		<p class="para">
		If for some reason you wish to enable the root account, simply give it a password:
		</p>
		<div class="note" title="Note"><div class="inner"><div class="region"><div class="contents">
		<p class="para">
		Configurations with root passwords are not supported.
		</p>
		</div></div></div></div>
<div class="screen"><pre class="contents "><span class="cmd command">sudo passwd</span>
</pre></div>
		<p class="para">Sudo will prompt you for your password, and then ask you to supply a new password for root as shown below:
		</p>
<div class="screen"><pre class="contents "><span class="output computeroutput">[sudo] password for username:</span> <span class="input userinput">(enter your own password)</span>
<span class="output computeroutput">Enter new UNIX password:</span> <span class="input userinput">(enter a new password for root)</span>
<span class="output computeroutput">Retype new UNIX password:</span> <span class="input userinput">(repeat new password for root)</span>
<span class="output computeroutput">passwd: password updated successfully</span>
</pre></div>
		</li>
<li class="list itemizedlist">
		<p class="para">
		To disable the root account password, use the following passwd syntax:
		</p>
<div class="screen"><pre class="contents "><span class="cmd command">sudo passwd -l root</span>
</pre></div>
		<p class="para">
        However, to disable the root account itself, use the following command:
		</p>
<div class="screen"><pre class="contents "><span class="cmd command">usermod --expiredate 1</span>
</pre></div>
		</li>
<li class="list itemizedlist">
		<p class="para">
		You should read more on <span class="app application">Sudo</span> by reading the man page:
		</p>
<div class="screen"><pre class="contents "><span class="cmd command">man sudo</span>
</pre></div>
		</li>
</ul></div>
<p class="para">
			By default, the initial user created by the Ubuntu installer is a member of the group "<span class="em emphasis">sudo</span>" which is added to the file <span class="file filename">/etc/sudoers</span> as an authorized sudo user. If you wish to give any other account full root access through <span class="app application">sudo</span>, simply add them to the <span class="em emphasis">sudo</span> group.
		</p>
</div></div>
</div></div>
<div class="sect2 sect" id="adding-deleting-users"><div class="inner">
<div class="hgroup"><h2 class="title">Adding and Deleting Users</h2></div>
<div class="region"><div class="contents">
<p class="para">
	The process for managing local users and groups is straightforward and differs very little from most other GNU/Linux operating systems. Ubuntu and other Debian based distributions encourage the use of the "adduser" package for account management.
	</p>
<div class="list itemizedlist"><ul class="list itemizedlist">
<li class="list itemizedlist">
		<p class="para">
		To add a user account, use the following syntax, and follow the prompts to give the account a password and identifiable characteristics, such as a full name, phone number, etc.
		</p>
<div class="screen"><pre class="contents "><span class="cmd command">sudo adduser username</span>
</pre></div>
		</li>
<li class="list itemizedlist">
		<p class="para">
		To delete a user account and its primary group, use the following syntax:
		</p>
<div class="screen"><pre class="contents "><span class="cmd command">sudo deluser username</span>
</pre></div>
		<p class="para">
		Deleting an account does not remove their respective home folder. It is up to you whether or not you wish to delete the folder manually or keep it according to your desired retention policies.  
		</p>
		<p class="para">
		Remember, any user added later on with the same UID/GID as the previous owner will now have access to this folder if you have not taken the necessary precautions.
		</p>
		<p class="para">
		You may want to change these UID/GID values to something more appropriate, such as the root account, and perhaps even relocate the folder to avoid future conflicts:
		</p>
<div class="screen"><pre class="contents "><span class="cmd command">sudo chown -R root:root /home/username/</span>
<span class="cmd command">sudo mkdir /home/archived_users/</span>
<span class="cmd command">sudo mv /home/username /home/archived_users/</span>
</pre></div>
		</li>
<li class="list itemizedlist">
		<p class="para">
		To temporarily lock or unlock a user account, use the following syntax, respectively:
		</p>
<div class="screen"><pre class="contents "><span class="cmd command">sudo passwd -l username</span>
<span class="cmd command">sudo passwd -u username</span>
</pre></div>
		</li>
<li class="list itemizedlist">
		<p class="para">
		To add or delete a personalized group, use the following syntax, respectively:
		</p>
<div class="screen"><pre class="contents "><span class="cmd command">sudo addgroup groupname</span>
<span class="cmd command">sudo delgroup groupname</span>
</pre></div>
		</li>
<li class="list itemizedlist">
		<p class="para">
		To add a user to a group, use the following syntax:
		</p>
<div class="screen"><pre class="contents "><span class="cmd command">sudo adduser username groupname</span>
</pre></div>
		</li>
</ul></div>
</div></div>
</div></div>
<div class="sect2 sect" id="user-profile-security"><div class="inner">
<div class="hgroup"><h2 class="title">User Profile Security</h2></div>
<div class="region"><div class="contents">
<p class="para">
	When a new user is created, the adduser utility creates a brand new home directory named <span class="file filename">/home/username</span>. The default profile is modeled after the contents found in the directory of <span class="file filename">/etc/skel</span>, which includes all profile basics.  
	</p>
<p class="para">
	If your server will be home to multiple users, you should pay close attention to the user home directory permissions to ensure confidentiality. By default, user home directories in Ubuntu are created with world read/execute permissions. This means that all users can browse and access the contents of other users home directories. This may not be suitable for your environment.
	</p>
<div class="list itemizedlist"><ul class="list itemizedlist">
<li class="list itemizedlist">
		<p class="para">
		To verify your current user home directory permissions, use the following syntax:
		</p>
<div class="screen"><pre class="contents "><span class="cmd command">ls -ld /home/username</span>
</pre></div>
		<p class="para">The following output shows that the directory <span class="file filename">/home/username</span> has world-readable permissions:
		</p>
<div class="screen"><pre class="contents "><span class="output computeroutput">drwxr-xr-x  2 username username    4096 2007-10-02 20:03 username</span>
</pre></div>
		</li>
<li class="list itemizedlist">
		<p class="para">
		You can remove the world readable-permissions using the following syntax:
		</p>
<div class="screen"><pre class="contents "><span class="cmd command">sudo chmod 0750 /home/username</span>
</pre></div>
		<div class="note" title="Note"><div class="inner"><div class="region"><div class="contents">
		<p class="para">
		Some people tend to use the recursive option (-R) indiscriminately which modifies all child folders and files, but this is not necessary, and may yield other undesirable results. The parent directory alone is sufficient for preventing unauthorized access to anything below the parent.
		</p>
		</div></div></div></div>
		<p class="para">
		A much more efficient approach to the matter would be to modify the <span class="app application">adduser</span> global default permissions when creating user home folders. Simply edit the file <span class="file filename">/etc/adduser.conf</span> and modify the <span class="code varname">DIR_MODE</span> variable to something appropriate, so that all new home directories will receive the correct permissions.
		</p>
<div class="code"><pre class="contents ">DIR_MODE=0750
</pre></div>
		</li>
<li class="list itemizedlist">
		<p class="para">
		After correcting the directory permissions using any of the previously mentioned techniques, verify the results using the following syntax:
		</p>
<div class="screen"><pre class="contents "><span class="cmd command">ls -ld /home/username</span>
</pre></div>
		<p class="para">The results below show that world-readable permissions have been removed:
		</p>
<div class="screen"><pre class="contents "><span class="output computeroutput">drwxr-x---   2 username username    4096 2007-10-02 20:03 username</span>
</pre></div>
		</li>
</ul></div>
</div></div>
</div></div>
<div class="sect2 sect" id="password-policy"><div class="inner">
<div class="hgroup"><h2 class="title">Password Policy</h2></div>
<div class="region">
<div class="contents"><p class="para">
	A strong password policy is one of the most important aspects of your security posture. Many successful security breaches involve simple brute force and dictionary attacks against weak passwords. If you intend to offer any form of remote access involving your local password system, make sure you adequately address minimum password complexity requirements, maximum password lifetimes, and frequent audits of your authentication systems.
	</p></div>
<div class="sect3 sect" id="minimum-password-length"><div class="inner">
<div class="hgroup"><h3 class="title">Minimum Password Length</h3></div>
<div class="region"><div class="contents">
<p class="para">
	By default, Ubuntu requires a minimum password length of 6 characters, as well as some basic entropy checks. These values are controlled in the file <span class="file filename">/etc/pam.d/common-password</span>, which is outlined below.
	</p>
<div class="code"><pre class="contents ">password        [success=1 default=ignore]      pam_unix.so obscure sha512
</pre></div>
<p class="para">
If you would like to adjust the minimum length to 8 characters, change the appropriate variable to min=8. The modification is outlined below.
	</p>
<div class="code"><pre class="contents ">password        [success=1 default=ignore]      pam_unix.so obscure sha512 minlen=8
</pre></div>
<div class="note" title="Note"><div class="inner"><div class="region"><div class="contents">
                <p class="para">
                Basic password entropy checks and minimum length rules do not apply to the administrator using sudo level commands to setup a new user.
                </p>
                </div></div></div></div>
</div></div>
</div></div>
<div class="sect3 sect" id="password-expiration"><div class="inner">
<div class="hgroup"><h3 class="title">Password Expiration</h3></div>
<div class="region"><div class="contents">
<p class="para">
	When creating user accounts, you should make it a policy to have a minimum and maximum password age forcing users to change their passwords when they expire.
	</p>
<div class="list itemizedlist"><ul class="list itemizedlist">
<li class="list itemizedlist">
		<p class="para">
		To easily view the current status of a user account, use the following syntax:
		</p>
<div class="screen"><pre class="contents "><span class="cmd command">sudo chage -l username</span>
</pre></div>
		<p class="para">The output below shows interesting facts about the user account, namely that there are no policies applied:
		</p>
<div class="screen"><pre class="contents "><span class="output computeroutput">Last password change                                    : Jan 20, 2015
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7</span>
</pre></div>
		</li>
<li class="list itemizedlist">
		<p class="para">
		To set any of these values, simply use the following syntax, and follow the interactive prompts:
		</p>
<div class="screen"><pre class="contents "><span class="cmd command">sudo chage username</span>
</pre></div>
		<p class="para">
		The following is also an example of how you can manually change the explicit expiration date (-E) to 01/31/2015, minimum password age (-m) of 5 days, maximum password  age (-M) of 90 days, inactivity period (-I) of 5 days after password expiration, and a warning time period (-W) of 14 days before password expiration:
		</p>
<div class="screen"><pre class="contents "><span class="cmd command">sudo chage -E 01/31/2015 -m 5 -M 90 -I 30 -W 14 username</span>
</pre></div>
		</li>
<li class="list itemizedlist">
		<p class="para">
		To verify changes, use the same syntax as mentioned previously:
		</p>
<div class="screen"><pre class="contents "><span class="cmd command">sudo chage -l username</span>
</pre></div>
		<p class="para">The output below shows the new policies that have been established for the account:
		</p>
<div class="screen"><pre class="contents "><span class="output computeroutput">Last password change                                    : Jan 20, 2015
Password expires                                        : Apr 19, 2015
Password inactive                                       : May 19, 2015
Account expires                                         : Jan 31, 2015
Minimum number of days between password change          : 5
Maximum number of days between password change          : 90
Number of days of warning before password expires       : 14</span>
</pre></div>
		</li>
</ul></div>
</div></div>
</div></div>
</div>
</div></div>
<div class="sect2 sect" id="other-security-considerations"><div class="inner">
<div class="hgroup"><h2 class="title">Other Security Considerations</h2></div>
<div class="region">
<div class="contents"><p class="para">
	Many applications use alternate authentication mechanisms that can be easily overlooked by even experienced system administrators.  Therefore, it is important to understand and control how users authenticate and gain access to services and applications on your server.
	</p></div>
<div class="sect3 sect" id="ssh-access-by-disabled-users"><div class="inner">
<div class="hgroup"><h3 class="title">SSH Access by Disabled Users</h3></div>
<div class="region"><div class="contents">
<p class="para">
	Simply disabling/locking a user account will not prevent a user from logging into your server remotely if they have previously set up RSA public key authentication. They will still be able to gain shell access to the server, without the need for any password. Remember to check the users home directory for files that will allow for this type of authenticated SSH access, e.g. <span class="file filename">/home/username/.ssh/authorized_keys</span>.
	</p>
<p class="para">
	Remove or rename the directory <span class="file filename">.ssh/</span> in the user's home folder to prevent further SSH authentication capabilities.
	</p>
<p class="para">
	Be sure to check for any established SSH connections by the disabled user, as it is possible they may have existing inbound or outbound connections. Kill any that are found.
	</p>
<div class="screen"><pre class="contents "><span class="cmd command">who | grep username</span>  (to get the pts/# terminal)
<span class="cmd command">sudo pkill -f pts/#</span>
</pre></div>
<p class="para">
	Restrict SSH access to only user accounts that should have it. For example, you may create a group called "sshlogin" and add the group name as the value associated with the <span class="code varname">AllowGroups</span> variable located in the file <span class="file filename">/etc/ssh/sshd_config</span>.
	</p>
<div class="code"><pre class="contents ">AllowGroups sshlogin
</pre></div>
<p class="para">
	Then add your permitted SSH users to the group "sshlogin", and restart the SSH service.
	</p>
<div class="screen"><pre class="contents "><span class="cmd command">sudo adduser username sshlogin</span>
<span class="cmd command">sudo systemctl restart sshd.service</span>
</pre></div>
</div></div>
</div></div>
<div class="sect3 sect" id="external-db-auth"><div class="inner">
<div class="hgroup"><h3 class="title">External User Database Authentication</h3></div>
<div class="region"><div class="contents"><p class="para">
	Most enterprise networks require centralized authentication and access controls for all system resources. If you have configured your server to authenticate users against external databases, be sure to disable the user accounts both externally and locally. This way you ensure that local fallback authentication is not possible.
	</p></div></div>
</div></div>
</div>
</div></div>
</div>
<div class="links nextlinks">
<a class="nextlinks-prev" href="security.html" title="Security">Previous</a><a class="nextlinks-next" href="console-security.html" title="Console Security">Next</a>
</div>
<div class="clear"></div>
</div>
<div id="pagebottom"></div>
</div></div>
</div>
<div id="footer"><p>The material in this document is available under a free license, see <a href="https://help.ubuntu.com/legal.html">Legal</a> for details.<br>
          For information on contributing see the <a href="https://wiki.ubuntu.com/DocumentationTeam">Ubuntu Documentation Team wiki page</a>.
          To report errors in this serverguide documentation, <a href="https://bugs.launchpad.net/serverguide">file a bug report</a>.</p></div>
</div>
</body>
</html>
